1. Field of the Invention
The present invention relates to the protection of computer systems. More particularly, the present invention relates to an event correlation system and method.
2. Description of the Related Art
Network intrusion detection systems (NIDS) such as the Symantec ManHunt™ network intrusion detection system are capable of detecting actual and suspected internal and external intrusions, e.g., stealth scans and denial-of-service attacks. These actual and suspected intrusions and denial-of-service attacks are referred to as threats. Other examples of threats include the actual or suspected detection of malicious code, e.g., a virus, on a host computer system. There are many other examples of threats, depending upon the type of monitoring system being used.
The detection of a threat can be defined as an event. Generally, an event is an occurrence of some importance, e.g., one that has been identified as an occurrence to be monitored, and frequently one that has an antecedent cause, e.g., one associated with malicious code.
Events are forwarded to a single correlation node because statistical and rules-based analysis systems are stateful: a rule or statistic that spans many events can only be evaluated where those events are seen together. The single correlation node may also receive events from other systems. This allows the single correlation node to process all of the events on a network, or on a plurality of networks, being monitored by the single correlation node.
However, the single correlation node is often faced with information overload. More particularly, because the single correlation node is given information on all of the events on the network or plurality of networks being monitored, it receives more information than it can readily process and analyze.
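To make the point about statefulness concrete, here is an added example (not code from the patent or from any Symantec product) of a minimal rules-based correlation node. It keeps per-source history so that a rule spanning many events, here a hypothetical "more than 5 distinct destination ports from one source within 10 seconds" stealth-scan rule, can fire; the rule, its thresholds, the event field names and the sample events are all assumptions constructed for the example. The second runner spreads the same events round-robin across several independent nodes, which shows why splitting a stateful rule across nodes loses detections.

```python
from collections import defaultdict, deque

# Hypothetical rule parameters (assumptions, not from the patent text):
# flag a source as a suspected stealth scan when it touches more than
# PORT_THRESHOLD distinct destination ports within WINDOW_SECONDS.
PORT_THRESHOLD = 5
WINDOW_SECONDS = 10


class CorrelationNode:
    """A single, stateful correlation node: keeps per-source history so that
    a rule that spans many events can be evaluated."""

    def __init__(self, port_threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
        self.port_threshold = port_threshold
        self.window = window
        self.history = defaultdict(deque)   # src -> deque of (ts, dport)
        self.alerted = set()                # sources already reported
        self.events_seen = 0                # load indicator for this node

    def ingest(self, event):
        """Consume one sensor event; return a correlated threat or None.
        Events are assumed to arrive in timestamp order."""
        self.events_seen += 1
        src, ts, dport = event["src"], event["ts"], event["dport"]
        hist = self.history[src]
        hist.append((ts, dport))
        # Expire history entries that fell outside the sliding window.
        while hist and ts - hist[0][0] > self.window:
            hist.popleft()
        distinct_ports = {p for _, p in hist}
        if len(distinct_ports) > self.port_threshold and src not in self.alerted:
            self.alerted.add(src)
            return {"type": "suspected_scan", "src": src,
                    "ports": len(distinct_ports), "ts": ts}
        return None


def run(events, **kw):
    """All events through one node (the patent's single-node arrangement).
    Returns (alerts, number of events the node had to process)."""
    node = CorrelationNode(**kw)
    alerts = [a for a in (node.ingest(e) for e in events) if a]
    return alerts, node.events_seen


def run_split(events, n_nodes, **kw):
    """Same rule, but events spread round-robin over n_nodes independent
    nodes that each hold only their own state."""
    nodes = [CorrelationNode(**kw) for _ in range(n_nodes)]
    alerts = []
    for i, event in enumerate(events):
        alert = nodes[i % n_nodes].ingest(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events: 10.0.0.5 probes 7 ports within 3 seconds;
# 10.0.0.9 touches 3 ports spread over a minute and should not be flagged.
SAMPLE_EVENTS = [
    {"src": "10.0.0.9", "ts": 0, "dport": 80},
    *[{"src": "10.0.0.5", "ts": 1 + i * 0.5, "dport": 20 + i} for i in range(7)],
    {"src": "10.0.0.9", "ts": 30, "dport": 443},
    {"src": "10.0.0.9", "ts": 60, "dport": 22},
]

if __name__ == "__main__":
    alerts, seen = run(SAMPLE_EVENTS)
    print(f"single node: {seen} events in, {len(alerts)} threat(s) out: {alerts}")
    print(f"two independent nodes: {len(run_split(SAMPLE_EVENTS, 2))} threat(s) out")
```

With the sample input the single node reports one suspected scan from 10.0.0.5 after its sixth distinct port, while two independent nodes see at most four ports each and report nothing; the `events_seen` counter is the quantity that grows without bound in the single-node arrangement the text describes.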